From 10863ad9e86e1c1c53433670fa2d80b44a2a3743 Mon Sep 17 00:00:00 2001
From: George Liu
Date: Sat, 5 Aug 2017 05:12:32 +1000
Subject: [PATCH] update prep for ModSecurity v3.0 part 4 - add owasp modsecurity v3 rules https://github.com/SpiderLabs/owasp-modsecurity-crs
---
 centmin.sh | 1 +
 inc/mod_security.inc | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/centmin.sh b/centmin.sh
index fb5861832..d8d79a442 100755
--- a/centmin.sh
+++ b/centmin.sh
@@ -376,6 +376,7 @@ NGINX_HTTP2='y' # Nginx http/2 patch https://community.centminmod.c
 NGINX_HTTPPUSH='n' # Nginx http/2 push patch https://community.centminmod.com/threads/11910/
 NGINX_ZLIBNG='n' # 64bit OS only for Nginx compiled against zlib-ng https://github.com/Dead2/zlib-ng
 NGINX_MODSECURITY='n' # modsecurity module support https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX
+MODSECURITY_OWASPVER='3.0.2' # owasp modsecurity ruleset https://github.com/SpiderLabs/owasp-modsecurity-crs/releases
 NGINX_REALIP='y' # http://nginx.org/en/docs/http/ngx_http_realip_module.html
 NGINX_RDNS='n' # https://github.com/flant/nginx-http-rdns
 NGINX_NJS='n' # nginScript https://www.nginx.com/blog/launching-nginscript-and-looking-ahead/
diff --git a/inc/mod_security.inc b/inc/mod_security.inc
index 0dde12eaa..1cf666c81 100644
--- a/inc/mod_security.inc
+++ b/inc/mod_security.inc
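Review bot: The added `MODSECURITY_OWASPVER='3.0.2'` line in centmin.sh identifies the OWASP CRS release by tag name only, with no integrity value to pin what that tag must contain. In the visible part of the inc/mod_security.inc hunk the value goes straight into the `wget` URL and `tar xvzf`, and the extracted rules are moved under /usr/local/nginx with no check of the archive in between. A companion setting beside it, for example `MODSECURITY_OWASPSHA256='<sha256-of-the-release-tarball>'` (suggested name, placeholder value), would let the installer compare the download with `sha256sum -c` and stop on a mismatch. Since the same variable is also expanded into filesystem paths, the trailing comment could state that it must be a plain release version string, e.g. `# owasp modsecurity ruleset release version (digits and dots only)`.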
@@ -47,11 +47,25 @@ modsecurity_install() {
 mv /usr/local/nginx/modsec/modsecurity.conf-recommended /usr/local/nginx/modsec/modsecurity.conf
 # sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /usr/local/nginx/modsec/modsecurity.conf
 fi
+ if [ ! -f "/usr/local/nginx/owasp-modsecurity-crs-${MODSECURITY_OWASPVER}/crs-setup.conf" ]; then
+ pushd "$DIR_TMP"
+ wget "https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v${MODSECURITY_OWASPVER}.tar.gz"
+ tar xvzf "v${MODSECURITY_OWASPVER}.tar.gz"
+ mv "owasp-modsecurity-crs-${MODSECURITY_OWASPVER}" /usr/local/nginx
+ ls -lah "/usr/local/nginx/owasp-modsecurity-crs-${MODSECURITY_OWASPVER}"
+ cp "/usr/local/nginx/owasp-modsecurity-crs-${MODSECURITY_OWASPVER}/crs-setup.conf.example" "/usr/local/nginx/owasp-modsecurity-crs-${MODSECURITY_OWASPVER}/crs-setup.conf"
+ ls -lah "/usr/local/nginx/owasp-modsecurity-crs-${MODSECURITY_OWASPVER}/rules/"
+ popd
+ fi
 if [ ! -f /usr/local/nginx/modsec/main.conf ]; then
 cat > "/usr/local/nginx/modsec/main.conf" <